Benjamin "Benzo" Harris was formerly New Media Producer for Healthcare IT News. He managed social media for Healthcare IT News, Government Health IT, EHRWatch, and HIEWatch. Follow Benzo @BHarris_HITN.

3 best practices for internal security

January 11, 2013

When it comes to securing a hospital's IT, the focus is on keeping unwanted or unauthorized people out of the system. Strengthening a system to bar access to the wrong people while making it easy for the right ones to get in is always on IT managers' minds. What most people think about in the realm of security is referred to as "perimeter control," or securing a system from outside intruders.

But this is not the only area that needs focus, as there are just as many threats to network security within an organization as there are without. Paul Christman, Vice President, Public Sector Sales and Marketing at Dell, speaks about three key elements of internal controls that help ensure a system's IT is as strong inside a hospital's corridors as it is on the outside.

1. Two-factor identification. Probably the most familiar to the security-minded, two-factor identification is the next step beyond the traditional system of requiring a username and password for access. "Username/passwords are the foundation for a lot of our internal security, but passwords can get lost, passwords can get hacked," says Christman. Much more secure is coupling the username/password combination with an additional token, like a key card or some other unique device that helps confirm that the person trying to log on is who they should be. This second factor is limited only by the bounds of an IT department's imagination, and its budget. "It could be a key fob, you see people carrying around little tokens that have random number generators," says Christman. He goes on to describe advances being made to develop "soft tokens," or a strong second factor that can reside on something almost every hospital worker is permanently attached to: a person's mobile device. Two-factor identification, while not bulletproof, makes simply cracking a password much less effective. Christman likens the system to an ATM, saying that just a PIN or card alone will not grant access; the two are needed in conjunction to make the system work.

2. Identity of a service. Anybody in a healthcare system probably has to deal with more than a handful of passwords. (This reporter has to keep track of about 25 for work and personal use.) Christman says this horde of passwords is part of the problem. Another problem is keeping track of all of a system's users and the hassles that entails. The solution to this lies in authenticating a user's device to connect to a central server, which then passes on the authentication details to the specific applications that a user is approved to access. "The system understands who I am, the authentication engine passes my credentials on to the software," says Christman. "You can control these credentials from one place and you can shut someone out. You don't have to worry about all of the different places their identity was stored." Authenticating through identity of service also has added security benefits. "If you just have a username/password to a website, you can share that on a Post-It note," says Christman. "It's horribly insecure." With identity of service, there are no passwords to share. Also, when someone leaves the system or loses a device, removing privileges is as simple as a few clicks.
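The two controls described above can be sketched together. This is an added example, not code from the article or from Dell: a central engine checks a password plus a soft-token code (time-based codes per RFC 6238, chosen here as one common kind of soft token), hands each approved application a signed, short-lived assertion instead of a password, and can shut a user out from one place. `AuthEngine`, `app_accepts`, the `|`-separated assertion format and all sample values are hypothetical.

```python
import base64, hashlib, hmac, os, struct, time

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code: what a soft token or key fob shows for time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class AuthEngine:
    """Hypothetical central authentication engine, constructed for this example."""
    def __init__(self, signing_key):
        self.signing_key = signing_key           # shared only with the applications
        self.users = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password, secret_b32, apps):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": self._hash(password, salt),
                            "secret": secret_b32, "apps": set(apps), "enabled": True}

    def disable(self, user):
        """One switch shuts the user out of every application."""
        self.users[user]["enabled"] = False

    def login(self, user, password, code, app, now=None, ttl=300):
        """Return a signed, short-lived assertion for `app`, or None."""
        now = time.time() if now is None else now
        rec = self.users.get(user)
        if rec is None or not rec["enabled"] or app not in rec["apps"]:
            return None
        pw_ok = hmac.compare_digest(self._hash(password, rec["salt"]), rec["pw"])
        # Accept the adjacent 30-second steps to tolerate clock drift.
        code_ok = any(hmac.compare_digest(totp(rec["secret"], now + d), code)
                      for d in (-30, 0, 30))
        if not (pw_ok and code_ok):              # both factors are required
            return None
        body = f"{user}|{app}|{int(now) + ttl}"
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"

def app_accepts(assertion, app, signing_key, now):
    """Application side: trust the engine's signature; no password is stored here."""
    user, for_app, expires, sig = assertion.split("|")
    body = f"{user}|{for_app}|{expires}"
    good = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, good) and for_app == app and now < int(expires)
```

In this sketch an assertion issued before `disable()` stays valid until it expires, which is why the lifetime is kept short (300 seconds here).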
